IDOR - Broken Authentication
IDOR - Background Info ; In its simplest and most common form, an IDOR vulnerability arises when the only input required to access or replace content is from the user. In our first example, whats stopping someone from checking another users ID and getting all their information ? This code example demonstrates how this can occur. The server is taking in the users id and directly displaying that information. To fix this the server shouldn't believe the user, but rather extract the session ID and check on the backend. In case of Serverless checks, the application must have a mechanism to check a signature (JWT). Forced Browsing ; Similar to IDOR, forced browsing can occur if the application exposes a direct reference to a file location. Here an attacker can visit the link and retrieve the image even though it is a private image. UUID - Safe? Think not.. Consider the server accepts arbitrary uuid's from the user, yet the uuid is too long and random to guess.